1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory
Page 1

ESnet DNSSEC Update

ESCC/Internet2 Joint Techs Workshop

February 14, 2007

R. Kevin Oberman, Network Engineer

Lawrence Berkeley National Laboratory

Page 2

Overview

• Why is ESnet implementing DNSSEC?

• What is required? UPDATED

• How will DNSSEC be implemented in ESnet?

o NIST SP800-81 - Implementation recommendations

- http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf

o NIST SP800-53 Rev. 1 - FISMA requirements

- http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf

Page 3

What is Required?

• OMB mandate in NIST SP800-53 Rev. 1

o TSIG for zone transfers

- Has operational advantages beyond security enhancement

- Firewall rules may cause issues

- Required by SC-8 (Not obvious!)

o Signed data only required by medium and high impact systems

- Seems silly if it is not a general requirement

- In SC-20 through SC-22

Page 4

Where is ESnet?

• TSIG authentication of all zone transfers

o Partly implemented

o Most larger sites are using it

o Some sites have old software lacking support

o Some sites have firewall rules which complicate issues

• Signing of all forward zones

o Test server is in service and working

o As expected, key management IS a pain
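The TSIG-protected zone transfer the slides describe, as an added BIND 9 named.conf example (not ESnet's configuration): the weak setting that trusts a source address alone sits beside the corrected form that requires the shared key. The key name, secret, zone name and addresses are placeholders.

```conf
// --- Weak: transfers authorised by source IP only (spoofable) ---
// zone "example.net" {
//     type master;
//     file "example.net.signed";
//     allow-transfer { 192.0.2.53; };
// };

// --- Corrected: transfers require a TSIG signature (SC-8) ---
// Shared secret, generated out of band and exchanged securely
// (the slides note ESnet distributes these with PGP).
// hmac-sha256 is assumed; older BIND versions may only offer hmac-md5.
key "site-xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // placeholder, not a real key
};

// Primary: sign NOTIFY/AXFR traffic to the secondary and accept
// transfer requests only when they carry a valid signature.
server 192.0.2.53 {
    keys { "site-xfer-key"; };
};

zone "example.net" {
    type master;
    file "example.net.signed";     // dnssec-signzone output
    allow-transfer { key "site-xfer-key"; };
    notify yes;
};

// Secondary: sign outbound AXFR/IXFR requests to the primary.
// zone "example.net" {
//     type slave;
//     file "bak/example.net";
//     masters { 192.0.2.1 key "site-xfer-key"; };
// };
```

Two operational caveats the slides hint at: TSIG verification compares timestamps (300-second fudge by default), so both servers need synchronised clocks, and AXFR still runs over TCP port 53, so a firewall that only permits UDP 53 will break transfers regardless of TSIG.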

Page 5

Status of Implementation

• TSIG is currently implemented for several sites

o Mandatory for new sites

o PGP used for key distribution

• Signed data

o Still not running on production servers

- Will be in a few weeks

o Our DNS management software does not support DNSSEC today (coming soon!)

o No implementation problems on BIND systems

o Still worried about key distribution and roll-over

o Still targeting full production by mid-2008

Page 6

Summary

• Progress has been made

• Requirements are now known

o None (for ESnet)

• Hope for full implementation of TSIG by the end of the year

• Signed zones by the end of the year (ESnet zones)

• Still waiting on a final resolution to the NSEC issue

o Almost certainly NSEC3

o Will not ask sites to sign zones until resolved

o That does not mean that you can't sign